What do you do when two-factor authentication is desirable, even pressing, but there is no money for hardware tokens and the general advice is simply to keep your spirits up?
This solution is nothing particularly original; it is a combination of various solutions found on the Internet.
So, given:
- An Active Directory domain controller.
- Domain users who work through a VPN, as most people do today.
- A Fortigate acting as the VPN gateway.
- Saving the password in the VPN client is prohibited by the security policy.
Fortinet's policy regarding its own tokens can only be called stingy: there are 10 free tokens, the rest come at a non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.
Prerequisites: a *nix host with freeradius and sssd installed, joined to the domain, so that domain users can authenticate on it without difficulty.
Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repositories.
In my example it is CentOS 7.8.
The logic should be as follows: when connecting to the VPN, the user must enter their domain login and an OTP instead of the password.
Service setup
In /etc/raddb/radiusd.conf only the user and group under which freeradius runs are changed, because the radius service must be able to read files in every subdirectory of /home/.
user = root
group = root
To be able to use groups in the Fortigate settings, a Vendor Specific Attribute must be passed. To do this, in the raddb/policy.d directory I create a file with the following contents:
group_authorization {
if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
update reply {
&Fortinet-Group-Name = "vpn_admins"
}
update control {
&Auth-Type := PAM
&Reply-Message := "Welcome Admin"
}
}
else {
update reply {
&Reply-Message := "Not authorized for vpn"
}
reject
}
}
After installing freeradius-ldap, a file named ldap is created in the raddb/mods-available directory.
You need to create a symbolic link to it in the raddb/mods-enabled directory.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I bring its contents to this form:
ldap {
server = 'domain.local'
identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
password = "SupeSecretP@ssword"
base_dn = 'dc=domain,dc=local'
sasl {
}
user {
base_dn = "${..base_dn}"
filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
scope = 'sub'
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=Group)'
scope = 'sub'
name_attribute = cn
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
membership_attribute = 'memberOf'
}
}
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to apply: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory but by the directive inside the file, before the curly braces.
In the authenticate section of the same files you need to uncomment the pam line.
In the clients.conf file, specify the parameters with which Fortigate will connect:
client fortigate {
ipaddr = 192.168.1.200
secret = testing123
require_message_authenticator = no
nas_type = other
}
Configuration of the pam.d/radiusd module:
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
The default options of the freeradius + google authenticator bundle require the user to enter credentials in the format: username/password+OTP.
Imagining the number of curses that would rain down on my head if the default freeradius + Google Authenticator bundle were used, I decided to configure the pam module so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- Freeradius checks that the user exists in the domain and belongs to a specific group and, on success, checks the OTP token.
Everything looked fine enough until the moment I thought: "How do I enroll OTP for 300+ users?"
The user has to log in to the server running freeradius under their own account and run the google-authenticator program, which generates the QR code for the app for that user. This is where shellinabox together with .bash_profile comes to the rescue.
[root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is /etc/sysconfig/shellinabox.
There I specify port 443; you can also specify your own certificate.
[root@freeradius ~]#systemctl enable --now shellinaboxd
The user only needs to follow the link, enter their domain credentials and receive the QR code for the application.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- Whether the user is a domain user is checked. If not, no action is taken.
- If the user is a domain user, membership in the admins group is checked.
- If not an admin, it checks whether Google Authenticator is configured. If not, the QR code is generated and the user is logged out.
- If not an admin and Google Authenticator is already configured, the user is simply logged out.
- If an admin, Google Authenticator is checked again. If it is not configured, the QR code is generated.
All the logic is implemented in /etc/skel/.bash_profile.
cat /etc/skel/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
# Make several commands available from user shell
if [[ -z $(id $USER | grep "admins") || -z $(cat /etc/passwd | grep $USER) ]]
then
[[ ! -d $HOME/bin ]] && mkdir $HOME/bin
[[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
[[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
[[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
[[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
[[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
[[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
# Set PATH env to <home user directory>/bin
PATH=$HOME/bin
export PATH
else
PATH=$PATH:$HOME/.local/bin:$HOME/bin
export PATH
fi
if [[ -n $(id $USER | grep "domain users") ]]
then
if [[ ! -e $HOME/.google_authenticator ]]
then
if [[ -n $(id $USER | grep "admins") ]]
then
figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
sleep 1.5
echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
sleep 5
google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
else
figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
sleep 1.5
echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
sleep 5
google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
echo "Congratulations, now you can use an OTP token from application as a password to VPN."
logout
fi
else
echo "You have already setup a Google Authenticator"
if [[ -z $(id $USER | grep "admins") ]]
then
logout
fi
fi
else
echo "You don't need to set up a Google Authenticator"
fi
Fortigate configuration:
- Create a Radius server.
- Create the necessary groups if access control by group is required. The group name on the Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.
- Edit the necessary SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- It is possible to authenticate with OTP on the Fortigate using an open-source solution.
- The user does not enter the domain password when connecting through the VPN, which simplifies the connection process. A 6-digit code is easier to type than the password required by the security policy. As a result, the number of tickets titled "I can't connect to the VPN" decreases.
PS We plan to improve this solution to full two-factor authentication with challenge-response.
Update:
As promised, I reworked it into the challenge-response variant.
So:
In the file /etc/raddb/sites-enabled/default the authorize section looks like this:
authorize {
filter_username
preprocess
auth_log
chap
mschap
suffix
eap {
ok = return
}
files
-sql
#-ldap
expiration
logintime
if (!State) {
if (&User-Password) {
# If !State and User-Password (PAP), then force LDAP:
update control {
Ldap-UserDN := "%{User-Name}"
Auth-Type := LDAP
}
}
else {
reject
}
}
else {
# If State, then proxy request:
group_authorization
}
pap
}
The authenticate section now looks like this:
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
# Attempt authentication with a direct LDAP bind:
Auth-Type LDAP {
ldap
if (ok) {
update reply {
# Create a random State attribute:
State := "%{randstr:aaaaaaaaaaaaaaaa}"
Reply-Message := "Please enter OTP"
}
# Return Access-Challenge:
challenge
}
}
pam
eap
}
Now user authentication proceeds according to the following algorithm:
- The user enters their domain credentials in the VPN client.
- Freeradius checks the validity of the account and password.
- If the password is correct, a request for the token is sent.
- The token is verified.
- Profit :)
Source: mapenzi.com
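As an added example (not the article's own code), here is the client side of the challenge-response exchange above in Python: a PAP Access-Request carrying the domain password, then, after the Access-Challenge that the authenticate section returns with a State attribute and "Please enter OTP", a second Access-Request that echoes State and carries the OTP as User-Password. The shared secret testing123 is the one from clients.conf; the packets are built and parsed in memory, and sending them over UDP to the freeradius host (port 1812) is left to the caller, which is handy for testing the RADIUS side without a Fortigate in the path.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def pap_encrypt(secret, authenticator, password):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            break  # malformed attribute length; stop rather than loop forever
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, packet[4:20], attrs


def access_request(secret, ident, user, credential, state=b""):
    # First request: credential is the domain password. Follow-up: credential
    # is the OTP and state is the value copied from the Access-Challenge.
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_encrypt(secret, authenticator, credential.encode()))]
    if state:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)


def reply_to_challenge(secret, user, otp, challenge):
    code, ident, _, attrs = parse_packet(challenge)
    if code != ACCESS_CHALLENGE or STATE not in attrs:
        raise ValueError("expected an Access-Challenge carrying State")
    return access_request(secret, (ident + 1) & 0xFF, user, otp, attrs[STATE])
```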